Abstract

Information security with a focus on the people factor has become a major focus area for organizations of all sizes globally, because it is the people in these organizations who maintain the technology, maintain the day-to-day security processes and influence the security culture of their organizations. In this report, we present a methodology we have developed for measuring information security maturity in Norwegian and Indian MSMEs with, and present the findings of the surveys. The methodology supports the measuring process by defining the parameters for diagnosis in phase 1 and analyzing information security maturity in phase 2 using the questionnaire developed for the three focus areas, thus discovering strong and weak areas for improving the management of information security, security culture and awareness in MSMEs. The major findings are presented with recommendations. Overall, the findings show that the information security maturity levels of Norwegian MSMEs are high compared to those of Indian MSMEs.

Preface

This thesis is the final part of my Master of Science education at Gjøvik University College. Besides the great interest in the problem itself, the choice was also based on being able to use as much of the acquired theoretical knowledge in practice as possible and, at the same time, to gain experience on how to measure information security maturity levels in Norwegian and Indian MSME organizations with. The study had major obstacles in getting participants to take part in the Norwegian and Indian surveys. I put enormous effort into reaching the right people to secure participation in the survey; they used to accept me with a smile, but it used to end up with no information for various reasons: a few had no interest, a few used to ignore me, a few used to skip off, a few used to be busy with their own work priorities, and so on. But the enormous support from my wife Shirisha and Dr. Bernhard M. Hämmerli gave me a high level of motivation to work on my thesis. My experience showed me that the best way to make my survey successful was to use my personal and professional contacts and use their references for a request for participation. In turn, some of them also supported me by giving me more references. I contacted around 1229 companies using personal contacts and the Institute of Electronic Governance, Government of Andhra Pradesh. I was also aware that many MSMEs in India do not have an IT or security department, so getting information on information security maturity was a major obstacle for me. The managing directors and directors were usually busy people and therefore were difficult to get in contact with. I finally managed to get answers from 3 percent of the 1229 companies I had contacted. As I was in India during my thesis work and was not able to get in direct contact with companies in Norway, I was concerned about how I would manage the Norwegian survey.
But my supervisors supported me and made me feel that this was not a concern at all. They supported me in making contact with the CEO of NorSIS to get in touch with the right people in MSMEs and to obtain a few other companies' details. Out of the 20 contacts from NorSIS, 40 percent answered the survey. In turn, I also collected 280 companies using Internet searches, but that response rate was comparatively very low. I finally managed to get answers from 6 percent of the 361 sent. First of all, I would like to thank Dr. Bernhard M. Hämmerli and co-supervisor Dr. Nils Karlstad Svendsen of the Norwegian Information Security Laboratory (NISLab) for supervising the planning and work of this study and for pointing me in the right directions at different phases throughout this project. It would not have been possible for me to complete this project if my supervisors, my wife Shirisha, information security industry expert Dr. Thomas Schlienger, Mr. Tore Larsen Orderløkken, CEO of NorSIS, Dr. P. Madhav, Director of Promotions, Institute of Electronic Governance, Government of Andhra Pradesh, India, and my contact persons had not supported me. Some helped me get in contact with the right persons in MSMEs. Unfortunately I can't mention some names, but I haven't forgotten any of you. I would like to thank the participants who took part in the surveys and gave valuable feedback to help complete this project successfully. Finally, I would like to thank my wife Shirisha, who is pregnant, and my family, who have let me use evenings, weekends and holidays as well to finish the work. Thank you, all!

4 Survey
  About this survey
  Company and Respondent Profile
  Survey Results on Norwegian MSMEs
  Survey Results on Indian MSMEs
  Comparing the results
  Comparison on IT Industry Sector
  Similarities and Differences in IT Industry Sector
  Comparison on Financial Services Industry Sector
  Similarities and Differences on Financial Services Industry Sector
  Comparison on Pharmaceutical Industry Sector
  Similarities and Differences on Pharmaceutical Industry Sector
  Comparison on Government and Public Industry Sector
  Similarities and Differences on Government and Public Industry Sector
  Comparison on Other Industry Sector
  Similarities and Differences on Other Industry Sector
  Comparison on Micro Enterprises
  Similarities and Differences on Micro Enterprises
  Comparison on Small Enterprises
  Similarities and Differences on Small Enterprises
  Comparison on Medium Enterprises
  Similarities and Differences on Medium Enterprises
Conclusions and Recommendations
Future work
Bibliography
Appendix

1 Introduction

1.1 Topic covered by the thesis

This report constitutes the documentation for the work related to the Master's thesis study in the Master's in Information Security at Gjøvik University College / Norwegian Information Security Laboratory. Its purpose is to develop a methodology to measure information security maturity levels in Norwegian and Indian MSMEs (Micro, Small and Medium Enterprises) with, and to recommend a course of action to improve weak focus areas based on the findings. Information security [23] is defined as the process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse. In recent years, information security with a focus on people has become a major focus area for organizations of all sizes globally. Merkow and Breithaupt [23] state that people, process and technology are the three pillars of security.

Figure 1: The People, Process and Technology triad [23]

People (or employees) in organizations know that security cannot be achieved just by installing technical solutions like IDS and firewalls [18] and implementing processes, because it is the people in these organizations who maintain the technology, maintain the day-to-day security processes and influence the security culture of their organizations. So it is important to focus on the people factor to measure the security culture, security awareness and how information security is managed in these organizations. Research on the state of information security maturity levels in different industry sectors of large organizations, with focus on people, processes and technology, has been done by the Data Security Council of India [8], Deloitte [62], Detecon [3], Devoteam Consulting [4], Ernst & Young [9], the European Network and Information Security Agency [15], KPMG [22] and PricewaterhouseCoopers [29]. SMEs (Small and Medium Enterprises) in developed countries normally have a weak comprehension of information security, security technologies and control measures, and so they tend to neglect risk analysis or the development of security policies [21]. This can also be due to the fact that SMEs lack the people, processes, technology and specialized knowledge necessary for coordinating information security or offering adequate information or resources on security awareness, training and education. The level of security culture, security awareness and management of information security in MSMEs varies between countries like India and Norway due to cultural differences and people's maturity levels in these organizations. Research on the state of information security maturity levels in Indian MSMEs with is missing. Therefore, this paper proposes a methodology that can be used to measure the information security maturity levels in Norwegian and Indian MSMEs with special focus on the people factor. The remainder of the report is structured as follows. In Section 2, we briefly describe the state of the art on information security in SMEs and the state of research on measuring information security on the people factor, information security management, security culture, and security awareness and training programs. In Section 3, we introduce the methodology used for defining the parameters for diagnosis and measuring information security maturity levels. In Section 4, we present the survey results of Norwegian and Indian MSMEs, and finally in Section 5 we conclude and give recommendations based on the findings.

1.2 Problem description

The information security of a company does not depend only on the implemented technical solutions and the processes maintained in the organization.
It is the people in these organizations who maintain the technology, maintain the day-to-day security processes and influence the security culture of their organizations. Understanding this, the initial focus of this study was to measure the information security awareness of employees in Norwegian and Indian MSMEs before and after security campaigns. However, it was discovered in discussion with industry expert Dr. Thomas Schlienger [6] that this research is out of scope, as creating security awareness and improving security culture is an ongoing process. Secondly, the same sample of participants might not be able to participate in the survey both before and after security awareness campaigns, which may make the survey results misleading. Therefore, after discussing the scope of the topic with my supervisor Dr. Bernhard Hämmerli, we agreed to narrow the scope of the project to "A Methodology for Measuring Information Security Maturity in Norwegian and Indian MSMEs with". After narrowing down the scope of the topic, this report also helps us to answer the following questions:

1. Write about the state of research on information security in MSMEs and the state of research on measuring information security on the people factor, information security management, security culture, and security awareness and training programs.
2. Develop a methodology for measuring information security maturity in organizations with.
3. Make a survey using the methodology in Norwegian and Indian MSMEs.
4. Compare the results of both regions.
5. Evaluate the results and propose recommendations based on the findings.

1.3 Justification, motivation and benefits

Most MSMEs (Micro, Small and Medium Enterprises) today have a weak comprehension of security technologies, of maintaining security processes and of managing information security. Secondly, the people or employees in these organizations are the ones who take care of the technology, manage day-to-day security processes, influence the environment and manage security in their organizations. So it is important to focus on the people factor to understand the maturity levels of Norwegian and Indian MSME organizations with respect to security culture, security awareness and how information security is managed in these organizations. A good organizational capability to remain secure is important and something that must be built. We therefore wish to measure the information security maturity levels of Norwegian and Indian MSMEs with. The findings of this report can also be used as a health indicator for creating security awareness in MSME organizations and for future benchmarking. Stakeholders for such a measurement would typically be managing directors/directors, chief information security officers, security managers, people working in the information security office, general managers, information technology executives or employees in micro, small and medium companies in Norway and India.
1.4 Research questions

How to measure information security maturity levels in Norwegian and Indian MSMEs with was not known at the initial stage of this project, so we came up with the following research questions:

1. What is the state of information security in MSMEs?
2. How do organizations measure information security maturity levels with?
3. What is the state of research on:
   Information Security Management
   Information Security Culture
   Information Security Awareness and Training Programs
     o Raising the Level of Security Awareness
     o Measuring Information Security Awareness
     o Metrics for Measuring People Factor
     o Making an Effective Security Awareness Campaign

To answer all these questions we will have to take a close look at what has already been done in this area in the state-of-the-art section.

1.5 Delimitations

The focus of this measurement study is limited to Norwegian and Indian MSMEs. The survey questionnaire was distributed to respondents in India between August 1st and October 23rd 2010, and in Norway between October 1st and October 23rd. The results are compared as of the 23rd October survey results for both Norway and India, and not with an equal number of participants in Norway and India, as the surveys in the two regions were not started at the same time. The state of the art collected, or literature used, is confined mainly to the English language, as I do not know Norwegian. Taking the time factor into account, the report is confined to measuring information security maturity levels with focus on people factors by taking feedback only from individuals in MSMEs. The research information available on SMEs is assumed to be relevant for MSMEs.

1.6 Data collection

Our research and key findings draw on electronically published articles on the Internet, research done by industry experts and market survey reports by Forrester Research, Ernst & Young, Deloitte, KPMG, PricewaterhouseCoopers, the Data Security Council of India, the European Network and Information Security Agency and others mentioned in the bibliography.

1.7 Definitions

Information Security: According to Mark Merkow and Jim Breithaupt [23], information security is defined as the process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse.

Information Security Maturity: According to Suhazimah Dzazali [30], information security maturity is the measurement of the organization's capability to remain secure. In this report, for measuring information security maturity, we measure how information security is managed, which security policies are implemented, and the present status of security culture and security awareness and training programs.

Information Security Management: According to Mark Merkow and Jim Breithaupt [23], information security management is defined as the process of managing day-to-day security work, training and awareness of security programs, and how compliance with security policies is handled. Other areas addressed within security management are activities related to information classification, risk management concepts and techniques, and security roles and responsibilities to assure ongoing organizational security consciousness.

Information Security Culture: According to Dr. Thomas Schlienger and Stephanie Teufel [32], information security culture is defined by first defining organizational culture. Organizational culture is how an employee sees the organization. It is a collective phenomenon that grows and changes over time and, to some extent, it can be influenced by management. Organizational culture has different subcultures based on sub-organizations or functions. Information security culture is a subculture in regard to general corporate functions.
It should support all activities so that information security becomes a natural aspect of the daily activities of every employee.

Information Security Awareness: According to the Information Security Forum (ISF) [17], information security awareness is the degree or extent to which every member of staff understands the importance of information security, the level of information security appropriate to the organization, and their individual security responsibility.

Effective Security Awareness: According to the Information Security Forum (ISF) [17], effective security awareness is defined as an ongoing process of learning that is meaningful to recipients and delivers measurable benefits to the organization from lasting behavioral change. This definition comprises four key elements, which are shown in the figure below.

Figure 2: Effective Security Awareness [17]

According to NIST [26], awareness, training and education are defined as follows. Awareness: awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having the goal of building knowledge and skills to facilitate job performance.

NorSIS: The Norwegian Centre for Information Security (NorSIS) [28] is an organization supported by private organizations and government for coordinating activities related to ICT security in Norway. The primary target group of NorSIS is small and medium enterprises and the public authorities. NorSIS reaches its objectives by making the public aware of the importance of information security by means of training and information, compiling guidelines and tutorials to help solve specific problems, and establishing an overall awareness of information security.

2 Review and state of the art

2.1 Information Security in MSMEs

What is the state of information security in MSMEs? According to Dojkovski Sneza, Sharman and Warren [5][21], MSMEs in developed countries generally have a weak understanding of information security management, security technologies and control measures, and neglect to carry out risk assessments or develop security policies. This may be because MSMEs lack the funds, time and specialized knowledge to coordinate information security or to offer adequate information security awareness, training and education. MSME owners are not supportive of information security in terms of budget or time, thus impacting the level of security awareness and security technology. They further point out that, lacking specialized knowledge of security technologies, MSMEs often retain the security technologies with which they are already familiar.

2.2 Measuring the State of Information Security with Focus on the People Factor

In this part, the research on measuring the state of information security is presented. This research helped me narrow down the focus areas on the people factor and prepare the questionnaire. To measure the level of information security in large companies, consulting companies like Deloitte [2], Ernst & Young [9], Forrester Research [19][20], KPMG [22] and PricewaterhouseCoopers [29] have done a number of surveys globally every year, taking feedback from large and multinational organizations. European agencies or organisations like Detecon [3], Devoteam [4] and ENISA [11] have done surveys for the European market specifically. The Data Security Council of India [14], along with KPMG, has done a survey to measure the maturity levels in Indian industry. According to a publication by ENISA (European Network and Information Security Agency) on the work of Dr. Thomas Schlienger [12], security culture improves the security level of the whole organization.
Potential losses from cyber attacks, computer abuse and industrial espionage can be prevented. A good security culture should support all activities in such a way that information security becomes a natural aspect of the daily activities of every employee. Dr. Thomas Schlienger has developed a model of how a good security culture can be fostered and awareness raised.

How to manage

According to ENISA [12] and Dr. Thomas Schlienger [6], information security culture, like organizational culture, cannot be created once and then used indefinitely without further action or modification. It must be maintained or modified continuously. It is a never-ending process, a cycle of analysis and change.

Figure 3: Information Security Culture Assessment Process [6][12]

In the process model presented by Dr. Thomas Schlienger, the first step is to analyze the actual information security culture (assessment). If the culture does not fit the organization's targets, the culture must be changed; if it fits, it should be reinforced. The necessary actions must be chosen (planning) and realized (implementation). The success of the actions taken must then be checked and the lessons learned specified (evaluation).

How to measure

Dr. Thomas Schlienger has a set of methods for measuring security awareness and culture. One of the main contributions of Dr. Thomas Schlienger's research work was the development of an analysis framework to measure the level of security culture.

Understanding the difficulties in different cultures, Dr. Thomas Schlienger has also developed a standardized questionnaire on the basis of an organizational behavior model, which is integrated in an assessment tool. The tool measures the three layers of organizational behavior (organization, group and individual) within twenty areas (e.g. work and technology design, communication, attitude, etc.), as shown in the figure below.

Figure 4: Information Security Culture Radar [6][12]

The tool allows comparison of the information security cultures of different organizations (benchmarking), or of the culture within the same organization at different points in time. This method and tool help to bridge the gap by allowing organizations to systematically analyze their information security culture, quickly identify weaknesses and improvement actions, and prove progress in information security culture. The tool also supports shorter project cycles, higher-quality work processes and best practices, and fewer resources (time, budget, manpower), and leads to a sustainable improvement in the security culture. Suhazimah Dzazali [30] has done an empirical study to measure the information security maturity and social factors of an organization. The questionnaire was structured based on the 10 subjects below, from section 1 to section 10. This empirical study by Suhazimah Dzazali helped in preparing the questionnaire on the focus areas in this thesis work.
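As an added illustration of the benchmarking idea just described (not Schlienger's assessment tool and not the thesis's own scoring), the following script aggregates Likert-style questionnaire answers tagged by focus area into per-area maturity scores, flags weak areas, and compares two assessments, whether two organisations or the same organisation at two points in time. The 1..5 scale, the three focus areas (taken from the thesis's focus areas) and all answers are constructed assumptions.

```python
"""Aggregate questionnaire answers into per-area maturity scores and compare
two assessments, as in the benchmarking use of a culture radar.
Added illustration only: not Schlienger's assessment tool and not the thesis's
own scoring. Scale, focus areas and all answers are constructed assumptions."""
from collections import defaultdict
from statistics import mean

# Assumed Likert scale: 1 = least mature, 5 = most mature.
SCALE_MIN, SCALE_MAX = 1, 5
# Assumed focus areas, following the thesis's three areas.
AREAS = ("management", "culture", "awareness")


def validate(answers):
    """Reject answers for unknown areas or outside the assumed scale."""
    for area, score in answers:
        if area not in AREAS:
            raise ValueError(f"unknown focus area {area!r}")
        if not SCALE_MIN <= score <= SCALE_MAX:
            raise ValueError(f"score {score} outside {SCALE_MIN}..{SCALE_MAX}")


def area_scores(answers):
    """Return {area: mean answer normalised to 0..100} for one assessment.
    Areas with no answers are omitted rather than reported as 0."""
    validate(answers)
    by_area = defaultdict(list)
    for area, score in answers:
        by_area[area].append(score)
    scores = {}
    for area in AREAS:
        if by_area[area]:
            m = mean(by_area[area])
            scores[area] = round(100 * (m - SCALE_MIN) / (SCALE_MAX - SCALE_MIN), 1)
    return scores


def weak_areas(scores, threshold=50.0):
    """Areas scoring at or below the threshold, weakest first."""
    return sorted((a for a, s in scores.items() if s <= threshold),
                  key=lambda a: scores[a])


def compare(baseline, current):
    """Per-area change (current minus baseline) for areas present in both,
    i.e. the benchmarking view: two organisations, or one over time."""
    return {a: round(current[a] - baseline[a], 1)
            for a in AREAS if a in baseline and a in current}


# Constructed sample answers: (focus area, 1..5 answer).
FIRST_ASSESSMENT = [
    ("management", 4), ("management", 5), ("management", 3),
    ("culture", 2), ("culture", 3), ("culture", 2),
    ("awareness", 1), ("awareness", 2), ("awareness", 2),
]
SECOND_ASSESSMENT = [
    ("management", 3), ("management", 3), ("management", 4),
    ("culture", 4), ("culture", 4), ("culture", 5),
    ("awareness", 3), ("awareness", 3), ("awareness", 4),
]

if __name__ == "__main__":
    first, second = area_scores(FIRST_ASSESSMENT), area_scores(SECOND_ASSESSMENT)
    print("first :", first, "weak:", weak_areas(first))
    print("second:", second, "weak:", weak_areas(second))
    print("change:", compare(first, second))
```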

Table 1: Subject areas [30]

Information Security Management (ISM)

According to Alnatheer, Mohameed and Nelson [25], ISM standards are used to establish and maintain a secure environment for information. ISM helps senior management to monitor and control their security, thus minimizing business risk and ensuring that security continues to fulfill corporate, customer and legal requirements. The overall goal of ISM is the prevention or minimization of damage to organizational assets. ISM can enhance organizational performance and its establishment in the normal way of doing business. They also state that information security and its management are concerned with people, processes and technology; the technology itself can be seen as relatively objective by nature, whereas the people and processes are influenced by the environment in which they operate. As mentioned in [23], ISM is defined as the process of managing day-to-day security work, training and awareness of security programs, and compliance with security policy. Alnatheer, Mohameed and Nelson [25] have also stated that an information security policy helps to define users' rights and responsibilities in terms of information within an organization. Effective information security policies will help users understand what is acceptable and responsible behavior with information resources and will assist in establishing a safe information environment. An information security policy is an essential part of security practices within organizations and could substantially influence their organizational security. Without a policy, security practices will be developed without clear demarcation of objectives and responsibilities, and organizations will face major difficulties in implementing an ISM system effectively in their infrastructures. As a result, organizations cannot achieve an effective ISM system without the establishment, implementation and maintenance of an information security policy.
In addition, the formulation and utilization of an information security policy can enhance the effectiveness of an ISM system.
